193935 – Failure attempting to create trace file when running as non-root

Bug 193935 - Failure attempting to create trace file when running as non-root

Summary: Failure attempting to create trace file when running as non-root

Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	tog-pegasus (Show other bugs)
Sub Component:	(Show other bugs)
Version:	4.0
Hardware:	All Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Jason Vas Dias
QA Contact:
Docs Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-06-03 01:10 UTC by Denise Eckstein
Modified:	2007-11-30 22:07 UTC (History)
CC List:	0 users
Fixed In Version:	RHBA-2006-0474
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2006-11-22 17:17:48 UTC
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Denise Eckstein 2006-06-03 01:10:38 UTC

Description of problem:

The "traceLevel" and "traceComponents" cimconfig options control tracing for 
both the cimserver and cimprovagt processes.

A Provider Agent Process writes its trace output to a file, in 
the /var/lib/Pegasus/cache/trace directory, whose name contains the associated 
provider module name. To ensure uniqueness (and avoid collisions in writing to 
the trace files), a user name is also appended to the trace file name. For 
example, the Provider Agent Process for the OperatingSystemModule in the 
context of user "A" writes to the trace 
file "cimserver.trc.OperatingSystemModule.A".

By default, only root has access to 
the /var/lib/Pegasus, /var/lib/Pegasus/cache/ and /var/lib/Pegasus/cache/trace 
directories.

# chmod 777 Pegasus
# chmod 777 Pegasus/cache
# chmod 777 Pegasus/cache/trace

Note: Permissions on trace files allow read and write access to only the 
owner. E.g.,

-rw------- 1 root root 66550 May 6 15:03 cimserver.trc
-rw------- 1 guest pegasus 6921 May 6 15:03 
cimserver.trc.OperatingSystemModule.guest
-rw------- 1 root root 866 May 6 15:03 cimserver.trc.OperatingSystemModule.root

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Configure OS Provider to Run-As-Requestor
2. Enable tracing
   2A. # cimconfig -s traceLevel=4
   2B. # cimconfig -s traceComponents=ALL
  
Actual results:


Expected results:


Additional info:

Comment 1 Jason Vas Dias 2006-06-05 18:39:00 UTC

OK, the next version will enable mode 0770 for /var/lib/Pegasus/cache/trace .
I don't think users not in the pegasus group need write / seach access to
/var/lib/Pegasus/cache/trace - users must be in the pegasus group in order
to connect to the cimserver, so I think mode 0770 should be sufficient, not 0777.
I do not think we want to enable mode 0770 for /var/lib/Pegasus/cache, else
any user could delete the /var/lib/Pegasus/cache/localauth directory, thus
disabling local authentication.

Comment 2 Denise Eckstein 2006-06-05 21:25:58 UTC

Sounds good.  If the administrator configures OpenPegasus to allow access by 
non-pegasus group users, they'll also need to change permissions on these 
directories to ...

# chmod 755 Pegasus
# chmod 755 Pegasus/cache
# chmod 777 Pegasus/cache/trace

but we can document this.

Thanks!

Comment 4 Bill Nottingham 2006-11-22 17:17:48 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0474.html

Note You need to log in before you can comment on or make changes to this bug.

TreeView+

- Top of page